#3866 closed defect (fixed)

Server crashing sometimes from large values in twkb encoding

Reported by: nicklas Owned by: nicklas
Priority: medium Milestone: PostGIS 2.3.4
Component: postgis Version: 2.3.x
Keywords: Cc:

Description

The attached geometry writes beyond the buffer.

In some cases it crashes the server.

It is caused from a large value that encodes to a variable integer of 10 bytes instead of the expected max 8 bytes. Most of the time this doesn't do any harm. But if the preceding point leaves exactly 8 bytes left in the buffer, the space check will not reallocate and writing 9 or 10 bytes will cause writing beyond the buffer.

Attachments (1)

test.sql (174.6 KB) - added by nicklas 20 months ago.

Download all attachments as: .zip

Change History (7)

Changed 20 months ago by nicklas

Attachment: test.sql added

comment:1 Changed 20 months ago by nicklas

increased the expected max size of variable integer to 16 bytes instead of 8 bytes.

That should always be enough since the value gets truncated by casting to int64_t before encoding to variable integer

fixed in trunk r15817

comment:2 Changed 20 months ago by nicklas

fixed in 2.2 and 2.3 with r15836 and r15837

comment:3 Changed 20 months ago by nicklas

Resolution: fixed
Status: assignedclosed

comment:4 Changed 20 months ago by robe

Resolution: fixed
Status: closedreopened

need to put this in NEWS for 2.2 and 2.3. For 2.4 not necessary.

comment:5 Changed 20 months ago by pramsey

In 15838:

TWKB news item (References #3866)

comment:6 Changed 20 months ago by pramsey

Resolution: fixed
Status: reopenedclosed

In 15839:

TWKB news item (Closes #3866)

Note: See TracTickets for help on using tickets.